The majority of the 21.5 million current and former federal employees whose data was compromised in the catastrophic Office of Personnel Management breach, including some with the NCUA, should be notified by Thanksgiving that they were affected.

The government is currently soliciting bids for government-wide identity monitoring data breach response and protection services. Bids are due on Friday for blanket purchase agreements, which are estimated to cost $500 million and cover fallout from previous incursions and faster responses for future cyberattacks.

While the five-year blanket purchase agreements include multiple contractors, a single provider must deal with the aftermath of the most recent OPM data breach. That contractor will have 12 weeks from the awarding date (on or close to Aug. 21) to send out millions of notifications. It will also offer identity protection services to affected individuals at no cost.

In June and July, the OPM discovered two separate but related cybersecurity breach incidents, which it blamed on Chinese hackers and which impacted the personal data of current and former federal government employees, contractors and others.

After the first breach, announced in June, the OPM reportedly spent more than $20 million for identity protection firm CSID to notify affected individuals and provide them with identity protection services. Government personnel, however, complained of website crashes and multi-hour call center waiting times to get basic information about affected areas and how to sign up for the 18 months of complimentary credit monitoring services that were offered.

When a second breach, announced in July, turned out to be five times bigger than the first, the government took a different approach. However, it took weeks to develop contract requirements, and the victim notification process was delayed.

“Taking this much time to notify government employees that their very confidential, personal information was stolen is extremely detrimental for two reasons,” Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based KnowBe4, said. “First, trust in our government's ability to protect data in general and in the future is badly damaged, and second, it leaves open a criminal window of opportunity to misuse this data that is way too long.”

This time around, the chosen credit monitoring firm will have to handle more than five times as many victims. Services will include a range of protection from basic credit reporting to in-depth identity monitoring, as well as identity theft insurance and a restoration program for identity theft victims.

The new contract, which provides data breach response services for three years to individuals impacted by the recent OPM incidents, also specifically requires that contractors' call center wait times do not exceed an average of 10 minutes.

The General Services Administration, Defense Department and OPM asked Naval Sea Systems Command, a division that normally deals with high-dollar contracts, to put out a request for a quote from interested bidders. The eventual contract award will be made through an interagency collaborative process involving GSA, OPM and the Office of Management and Budget, officials said.

“As with any breach, time is of the essence, and this is no different,” Ondrej Krehel, founder/principal of the New York City-based cybersecurity intelligence firm LIFARS, explained. “The problem though, is that it could potentially be quite a while before everything is shored up, and if it even makes the deadline. This is a major problem with cybersecurity, most people take the 'I'll never be hacked' security approach. By the time they find out, they'll already be months behind and then they still have investigation and remediation to handle.”

This time frame, Krehel cautioned, can be exacerbated when no plans or existing contracts are in place, and when the breached organization has to scramble to make deals instead of acting on it right away.

“Even reactive solutions need to be put proactively in place,” he said.


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).